Shylock Malware Detects VMs to Evade Analysis

The sophisticated banking Trojan gains a new trick: The ability to detect virtual machines controlled using remote sessions, a common configuration for researchers.

A sophisticated banking Trojan known as Shylock has gained a new trick: The ability to detect whether it's running in a virtual machine (VM) that is being analyzed by malware researchers.

While malware, such as the infamous Conficker worm, has used a variety of anti-VM techniques to attempt to make analysis more difficult, Shylock may be the first to detect whether the VM is actively being controlled by a researcher through a remote connection, according to software security firm Trusteer. Virtual machines are commonly used by malware researchers and analysts to run programs in a simulated environment to more easily detect malicious behavior.

"We see more institutions and corporations use network scanning tools to grab potentially dangerous files off a system, and then a malware analyst will use a remote desktop to access the machine where it is stored," said George Tubin, senior security strategist for Trusteer. "And so malware authors are looking for researchers who are accessing the virtual machines from a remote desktop."

When Shylock detects that it is running in a virtual environment, the program will exit, according to Trusteer.

While Shylock and other malware attempt to prevent themselves from running in virtual machines, VMs have become such a common part of infrastructure that other malicious programs seek out such systems. The Crisis malware, for example, would find and infect virtual-machine images through functions normally used to patch the virtual systems. In addition, researchers have found techniques for stealing data from other virtual machines running on the same host.

Security firms first discovered Shylock in February 2011. The malware, so named because the code contains references to Shakespeare's The Merchant of Venice, uses man-in-the-middle techniques to steal money from victims' accounts. The program targets several large financial institutions, injecting malicious content into the Websites when displayed in a victim's browser to control sessions and steal information.

The program is actively developed by the cyber-criminal group that created the software. In February, for example, the malware was updated to give the cyber-criminal operator the ability to open a fake customer-service chat window on the victim's computer to allow the online thieves to remotely ask them for sensitive information.

The latest changes aim to make analysis more difficult. While defenders aim to raise the cost to attackers of hacking their systems, attackers have likewise attempted to increase the cost of analyzing their malware. Slowing the defender's ability to react to the latest build of an online hacking tool means a longer window in which to compromise systems.

Many malware variants have aimed at detecting the VMs that researchers use to analyze the programs. Other problems merely delay executing their malicious functions for minutes to hours to days, an effective technique, as security teams typically do not have the resources to wait for a program to do something malicious.

"The techniques prevent a lot of the research from being done in an automated fashion," Tubin said. "If, to analyze malware, the researcher has to run it on an actual machine, that's incredibly inefficient."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...